What is the cost of ransomware?
Sean Sullivan, Security Advisor, F-Secure Labs
It’s become clear to us over the last few weeks that ransomware is changing. Unsurprisingly, it’s changing for the worse (if you look at things from our perspective) and it’s becoming more common.
As with the average legitimate business, ransomware was originally labour-intensive, and that labour was a significant overhead. Over time this cost has fallen, and the number of ransomware threats we have seen has risen. Local knowledge has helped the bad guys here – specifically, knowing which anonymous payment mechanisms exist in a given area.
There have been times when we have seen a particular sample of ransomware roll out across the globe – one week spotting it in the UK, the next in the US and so on. This is not a game to them.
The ability to socially engineer somebody into installing malware which encrypts their stuff has been around for years. It’s been ready to go. It’s just the labour-intensive aspect of collecting the money that has kept it from being the business model for crimeware, until now.
Of course, high-end banking Trojans will keep their market share, as they go after SMBs with six-figure bank accounts. But the average Joe doesn’t have a bank account that desirable. They will, however, be likely to afford £500 to get their personal files and photos back. This makes it a more attractive business model for the smaller gangs that are currently engaged in banking Trojan activities.
Most recently, we assisted in a joint investigation with the Finnish Police and CERT-FI after a spate of police-themed ransomware hit five million consumers worldwide. When you consider the fee they were asking was €100 (or $300 USD), the profit mounts up quickly.
Of course, some of those victims may have been sensible enough to back up their content on unconnected devices. Most probably didn’t and wanted their stuff back. They could have gone to the police, but this ransomware was designed to isolate victims, giving them only one option, which is to pay up.
The image that appears on the user’s screen to inform them their content has been encrypted may spoof a police message, but it isn’t done convincingly. Victims often know this is a shake-down, but how many will go to the police when the cyber criminals have told them there are child abuse images on their computer? Likewise, it’s not a problem you would want to type into a web search engine. So people go ahead and do what they can, which is pay the ransom.
Of course, it’s not just consumers who are at risk now. Back in December of last year, in what is becoming an increasingly common media report, a medical clinic in Australia was hit with a $4,000 AUD demand after its patient records were encrypted. And consumers who use their personal computers to access the corporate VPN will find that CryptoLocker will move into the corporate network too.
So what do businesses need to do? Close all known security gaps by making sure that all software is updated automatically. This will significantly reduce your attack surface in the face of an exploit kit. Also, if you are using Java in your organisation, it should be limited to a specific browser which is not used for usual web browsing.
Finally, I would urge any security pro on the frontline to contact a company which recovers hard drives and ask for a quote covering every machine in your organisation. When the budget-holder sees what the potential cost could be to recover from a ransomware attack – including the cost of downtime – it becomes a no-brainer to make sure everything is automatically covered.
Sean Sullivan is a security advisor at F-Secure Labs